That's interesting. I thought RouterOS was using netfilter/iptables internally to do packet filtering and thus should be traversing chains the same way. So that is not true then? Has Mikrotik written their own packet filtering engine?
msundman is right, I just messed it up. Mikrotik is making my Linux skills weak. By the way, he is right: in Linux, iptables works on chains.
Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain, which is processed before any routing decision is made, while SNAT is done in the postrouting chain. So the order you add rules in is only significant within a specific chain. Whether you add the SNAT rules first and then the DNAT rules, or first add all DNAT rules and then the SNAT rules, really shouldn't matter.
The DNAT rules will always be processed first anyway as they are processed by the prerouting chain.
Ref: http://www.faqs.org/docs/iptables/trave ... ables.html
1. PREROUTING
2. INPUT
3. FORWARD
4. OUTPUT
5. POSTROUTING
Rules are read in chains, following the order of the chains above.
However, it is not the same in Mikrotik: rules are read from top to bottom, and I have personally experienced it.
On Linux all DNAT:ing is done in the PREROUTING chain BEFORE the routing decision is made, and SNAT:ing is done AFTER the routing decision has been made, and therefore it never makes any difference whether you add SNAT or DNAT rules first.
When and how is SNAT and DNAT being done on ROS then, if you are saying that it actually DOES matter on ROS?
Can you give me an example of a config that gives different results depending on whether you have the SNAT or the DNAT rules at the top of the NAT rules list?
Anyone else that can confirm this?
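
Added example, not part of the thread and not code from netfilter or RouterOS: a simplified Python model of the Linux behaviour described above, showing that interleaving SNAT and DNAT rules differently gives the same result while reordering rules inside one chain does not. The rule tuples, addresses and function names are constructed for illustration, and connection tracking is left out.

```python
# Simplified model of the Linux netfilter NAT path for one forwarded packet.
# Assumptions: no connection tracking, address-only matching, constructed
# documentation-range addresses. This models Linux, not RouterOS.
HOOKS = ("PREROUTING", "POSTROUTING")  # routing decision sits between them

# (chain, field to match, value to match, replacement address)
DNAT_A = ("PREROUTING", "dst", "203.0.113.1", "192.0.2.10")
DNAT_B = ("PREROUTING", "dst", "203.0.113.1", "192.0.2.99")  # same match as DNAT_A
SNAT = ("POSTROUTING", "src", "192.0.2.50", "192.0.2.1")

PACKET = {"src": "192.0.2.50", "dst": "203.0.113.1"}  # constructed sample


def build_chains(rules):
    """Split one flat rule list into per-chain lists, keeping relative order."""
    chains = {hook: [] for hook in HOOKS}
    for chain, field, match, new in rules:
        chains[chain].append((field, match, new))
    return chains


def traverse(packet, rules):
    """Return (final packet, destination seen by the routing decision)."""
    pkt = dict(packet)
    chains = build_chains(rules)
    routed_dst = None
    for hook in HOOKS:
        for field, match, new in chains[hook]:
            if pkt[field] == match:   # first matching rule in the chain wins
                pkt[field] = new
                break
        if hook == "PREROUTING":
            routed_dst = pkt["dst"]   # routing sees the post-DNAT destination
    return pkt, routed_dst


if __name__ == "__main__":
    for name, order in [("SNAT first", [SNAT, DNAT_A, DNAT_B]),
                        ("DNAT first", [DNAT_A, DNAT_B, SNAT]),
                        ("DNAT swapped", [DNAT_B, DNAT_A, SNAT])]:
        print(name, traverse(PACKET, order))
```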